Setting the Stage

Pentesting, Red Teaming, and the “Assume Breach” Mentality


Penetration Testing

• Definition ranges anywhere from a single person running a (slightly) glorified vuln scan to a full-on, multi-person assault over several weeks
• Reasonable balance: breadth vs. depth; find as many holes as you can and see how far you can get in a limited timeframe
• Generally focused on finding issues, not on training/exercising processes


Red Teaming

• Red teaming means different things to different people:
  - physical ops
  - in-depth social engineering
  - custom exploit dev
  - pure network-based operations
  - adversary emulation
  - etc.
• Common thread: increased time frame, more permissive scope
“Assume Breach” Mentality

• With the rash of recent major incidents, organizations have started to realize that they’re probably already owned
• You’re not going to stop the bad guys from getting in the front door
• Companies need to implement an “assume breach” way of thinking


Bridging the Gap

• Red teaming historically: specialized toolsets, expanded timeframe, large team size, lots of $$$
• Our approach has been to build tools that automate a lot of this previously specialized tradecraft
  - PowerShell plays a big role here
• We also try to distribute a knowledgebase of these tactics


Why PowerShell?

• “Microsoft’s post-exploitation language” - @obscuresec
• PowerShell provides (out of the box):
  - full .NET access
  - application whitelist bypassing
  - direct access to the Win32 API
  - ability to assemble malicious binaries in memory
  - default installation on Win7+!


Just a “Toy Language”?

• Social Engineering Toolkit
• Veil Framework
• PowerUp
• PowerView
• PowerShell Empire
• Nishang
• Metasploit
• Powercat


The Weaponization Problem

• There’s been a sharp increase in offensive PowerShell projects over the past year
• But many people still struggle with how to securely work PowerShell into engagements
• Using existing tech at this point hasn’t always been the most straightforward


Weak Standard Images

Spreading vulnerabilities by design...


Standard Images

• Organizations typically utilize some standard image per internal business unit or across the entire enterprise
  - frequently contracted to 3rd parties
• Security of this image is paramount
• Exploitation of this image gets us beyond the beachhead
  - enables further spread


Windows Services

• One of the most effective escalation vectors was (and still is) vulnerable Windows services
  - sometimes you can modify a service itself
• However, many organizations overlook the permissions for service binaries :)
  - overwrite the service binary to add a local user or install an agent


.DLL Hijacking

• Many programs/services will search in multiple locations when loading, including directories listed in the %PATH% environment variable
• If you have write access to any folder in %PATH%, there’s a good chance you can drop a malicious DLL and escalate privileges on Windows 7
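Both misconfigurations above (writable service binaries and writable %PATH% directories) come down to file ACLs that grant broad, low-privilege principals write access. The following audit script is an added example, not code from the original talk, PowerUp or Empire; it runs as a normal user on the standard image and reports the hits so they can be fixed before the image ships. It assumes an English Windows install for the built-in account names.

```powershell
# Added audit example; not code from the original talk, PowerUp or Empire. Lists
# service binaries and %PATH% directories that broad, low-privilege principals can
# write to. Account names assume an English Windows install.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let a non-admin replace or alter a file: explicit write bits plus the
# generic GENERIC_WRITE / GENERIC_ALL bits that show up on some inherited ACEs
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$GenericWriteMask = 0x40000000 -bor 0x10000000
function Test-WritableByBroadPrincipal {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }      # unreadable ACL: cannot judge, report nothing
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band $WriteMask) -or ($rights -band $GenericWriteMask)) { return $true }
    }
    return $false
}
function Get-ServiceBinaryPath {
    # Win32_Service.PathName holds the full command line; isolate the executable
    param([string]$PathName)
    $expanded = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.exe)') { return $Matches[1] }   # unquoted path
    return $expanded.Trim()
}
function Find-WritableServiceBinary {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        if ($bin -and (Test-Path -LiteralPath $bin) -and (Test-WritableByBroadPrincipal $bin)) {
            [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; Binary = $bin }
        }
    }
}
function Find-WritablePathDirectory {
    # A writable %PATH% directory is the DLL search-order hijack described above
    $env:Path -split ';' | Where-Object { $_ } | Select-Object -Unique | ForEach-Object {
        if ((Test-Path -LiteralPath $_) -and (Test-WritableByBroadPrincipal $_)) {
            [pscustomobject]@{ Directory = $_ }
        }
    }
}
# Remediate each hit by removing the offending ACE, e.g. icacls <path> /remove:g "BUILTIN\Users"
Find-WritableServiceBinary | Format-Table -AutoSize
Find-WritablePathDirectory | Format-Table -AutoSize
```

Services whose RunsAs column is LocalSystem are the ones where a writable binary means a straight jump to SYSTEM, so fix those first.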


Standard Image Analysis

• PowerUp - PowerShell tool to automate common Windows privilege escalation vectors
  - part of PowerTools
  - Invoke-AllChecks will run all current checks against a host
• We also manually inspect each standard image in depth to discover enterprise “0-days”


Custom Internal Development

Is the most common root cause of escalation vectors we find.


Network/User Hygiene

It’s just not hard to find targets...


Dirty Networks

• This is a major catch-all issue...
  - Network hygiene - random default services existing with little knowledge by IT staff (e.g. Tomcat, ColdFusion, etc.)
  - User hygiene - lots of old users, admin users, overly delegated groups, and long-running interactive logons


One of the first steps in a network is to identify how ‘dirty’ it is

Hunt -> pop box -> Mimikatz -> profit
Invoke-UserHunter

• PowerView function that:
  - queries AD for hosts or takes a target list
  - queries AD for users of a target group, or takes a list/single user
  - uses Win32 API calls to enumerate sessions and logged-in users, matching against the target user list
• You don’t need administrative privileges to get a ton of information!


Invoke-UserHunter -Stealth

• Uses an old red teaming trick:
  1. Queries AD for all users and extracts all homeDirectory fields to identify likely domain file servers
  2. Runs NetSessionEnum against each file server to enumerate remote sessions, matching against the target user list
• Gets reasonable coverage with a lot less traffic
  - also doesn’t need admin privileges


Most Organizations

Have terrible privileged account hygiene in their networks.

This makes our job much easier.


Domain Trusts

Or: Why You Shouldn’t Trust AD


Domain Trusts 101

• Trusts allow separate domains to form inter-connected relationships
• A trust just links up the authentication systems of two domains and allows authentication traffic to flow between them
• A trust allows for the possibility of privileged access between domains, but doesn’t guarantee it*


So What?

• Why does this matter?
• Red teams often compromise accounts/machines in a domain trusted by their actual target
  - this allows operators to exploit these existing trust relationships to achieve their end goal
• More information: http://www.harmj0y.net/blog/tag/domain-trusts/


PowerView

• Domain/forest trust relationships can be enumerated through several PowerView functions:
  - Get-NetForest: information about the current domain forest
  - Get-NetForestTrust: grab all forest trusts
  - Get-NetForestDomain: enumerate all domains in the current forest
  - Get-NetDomainTrust: find all current domain trusts, à la nltest


Using Domain Trusts

• If a trust exists, most functions in PowerView can accept a “-Domain <name>” flag to operate across a trust:
  - Get-NetDomainController
  - Get-NetUser
  - Get-NetComputer
  - Get-NetFileServer
  - Get-NetGroup
  - Get-NetGroupMember
  - Invoke-UserHunter, etc.


We Often Understand

An organization’s domain trust mesh better than they do by the end of an engagement.


The Mimikatz Trustpocalypse

• Mimikatz Golden Tickets now accept SidHistories
  - through the new /sids:<X> argument
  - thanks @gentilkiwi and @PyroTek3!
• If you compromise a DC in a child domain, you can create a golden ticket with “Enterprise Admins” in the SID history
• This can let you compromise the parent domain


The Mimikatz Trustpocalypse

If you compromise any DA credentials anywhere in a forest, you can compromise the entire forest!


KEEP CALM

REBUILD THE ENTIRE FOREST
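The defender’s counterpart to the trust enumeration and SID-history slides above is to map your own trust mesh and know where SID history is honoured. The script below is an added example, not code from the original talk, PowerView or Empire; it uses only the built-in .NET System.DirectoryServices.ActiveDirectory classes (a domain user account is enough), lists every forest- and domain-level trust, and reports SID filtering status on external/forest trusts while marking intra-forest (parent/child, tree-root) links, which never filter SID history, as the reason the forest, not the domain, is the security boundary.

```powershell
# Added example; not code from the original talk, PowerView or Empire. Maps the trust
# mesh of the current forest with the built-in .NET ActiveDirectory classes (a domain
# user is enough) and reports where SID history would be honoured across each trust.
Add-Type -AssemblyName System.DirectoryServices

function Get-TrustSidFiltering($Owner, $TargetName) {
    # $Owner is a Forest or Domain object; both expose GetSidFilteringStatus()
    try { $Owner.GetSidFilteringStatus($TargetName) } catch { 'unknown' }
}

function Get-TrustMesh {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    # Forest trusts: SID filtering is what stops a foreign SID history from being honoured
    foreach ($t in $forest.GetAllTrustRelationships()) {
        $filtered = Get-TrustSidFiltering $forest $t.TargetName
        $note = ''
        if ($filtered -eq $false) { $note = 'SID filtering off: SID history honoured across this trust' }
        [pscustomobject]@{ Level = 'forest'; Source = $t.SourceName; Target = $t.TargetName
            Direction = $t.TrustDirection; Type = $t.TrustType; SidFiltering = $filtered; Note = $note }
    }
    # Domain trusts, including the parent/child links inside the forest. Those links never
    # filter SID history, which is why a child-domain DC compromise reaches the forest root.
    foreach ($d in $forest.Domains) {
        foreach ($t in $d.GetAllTrustRelationships()) {
            $intra = $t.TrustType.ToString() -in @('ParentChild', 'TreeRoot')
            if ($intra) {
                $filtered = 'n/a (intra-forest)'
                $note = 'forest, not domain, is the security boundary'
            } else {
                $filtered = Get-TrustSidFiltering $d $t.TargetName
                $note = ''
            }
            [pscustomobject]@{ Level = 'domain'; Source = $t.SourceName; Target = $t.TargetName
                Direction = $t.TrustDirection; Type = $t.TrustType; SidFiltering = $filtered; Note = $note }
        }
    }
}

Get-TrustMesh | Sort-Object Level, Source | Format-Table -AutoSize
```

Any forest or external trust that comes back with SidFiltering False deserves the same scrutiny as a child domain: a compromise on the far side can carry privileged SIDs into yours.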


Empire

A Pure PowerShell Post-Exploitation Agent
First Things First

• This tool would not be possible if it wasn’t for the help and phenomenal work from these people:
  - @mattifestation, @obscuresec, @josephbialek
    https://github.com/mattifestation/PowerSploit/
  - @tifkin_
    https://github.com/leechristensen/
  - @carlos_perez, @ben0xa, @mwjcomputing, @pyrotek3, @subtee, and the rest of the offensive PowerShell community!


Empire?

• Empire is a full-featured PowerShell post-exploitation agent
• Aims to provide a rapidly extensible platform to integrate offensive/defensive PowerShell work
• An attempt to train defenders on how to stop and respond to PowerShell “attacks”


Methods of Execution

• Small “stager” that can be manually executed or easily implemented elsewhere
  - a powershell command block can load an Empire agent
  - lots of formats (.bat, .vbs, .dll, etc.)
• Listeners are the “server” side of the whole system
  - configuration of the agent is set here
Empire Staging

Control Server <-> Client

1. GET /<stage0>
2. return key negotiation stager.ps1 w/ shared AES staging key
3. gen priv/pub keys, post ENCstaging(PUB) to /<stage1>
4. return ENCpub(epoch + AES session key)
5. decrypt session key, post ENCsession(sysinfo) to /<stage2>
6. return ENCsession(agent.ps1) patched with key/delay/etc. and register agent. Agent starts beaconing.


Module Categories

• Currently have the following categories for modules:
  - code_execution - ways to run more code
  - collection - post-exploitation data collection
  - credentials - collect and use creds
  - lateral_movement - move around the network
  - management - host management and auxiliary
  - persistence - survive the reboot
  - privesc - escalation capabilities
  - situational_awareness - network awareness
  - trollsploit


Module Development

• Development is extremely fast due to the wealth of existing PowerShell tech and the ease of development in a scripting language
• Modules are essentially metadata containers for an embedded PowerShell script
  - things like option sets, needs admin, opsec safe, save file output, etc.


management/psinject

• First up: our auto-magic process injection module for Empire
  - takes a listener name and an optional process name/ID
• Uses Invoke-PSInject to inject our ReflectivePick .DLL into the host or specified process
  - the launcher code to stage the agent is embedded in the .DLL


Invoke-PSInject

[diagram: Invoke-PSInject -> ReflectivePick -> Download Cradle -> .NET Assembly]

• ReflectivePick
• PowerShell in LSASS? LOL


(Empire: ) > back
(Empire: agents) > list

[*] Active agents:

  Name   Internal IP   Machine Name   Username   Process

  [screenshot: ten agents on 192.168.52.210 / WINDOWS3, running as DEV\chris and *DEV\SYSTEM in processes including powershell, vmtoolsd, winlogon, services, explorer, wininit, spoolsv and notepad]

(Empire: agents) >


Invoke-Mimikatz

• Everyone’s favorite post-exploitation capability
• Not just dumping creds:
  - golden tickets
  - silver tickets
  - PTH
  - skeleton key
• Empire has an internal cred model
  - lets you easily reuse creds you’ve stolen


Questions?

• Will
  - @harmj0y | blog.harmj0y.net | WSchroeder [at] verisgroup.com
• Matt
  - @enigma0x3 | enigma0x3.wordpress.com | MNelson [at] verisgroup.com
• Empire | PowerTools
  - github.com/PowerShellEmpire/Empire | github.com/PowerShellEmpire/PowerTools
  - www.PowerShellEmpire.com


